NGINX Reverse Proxy for HA

Using latest Home Assistant installed as a Python venv. Was working fine.

I then installed NGINX and followed this guide:

However, I’m getting errors:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
   # Update this line to be your domain
   server_name x.y.z;

   # These shouldn't need to be changed
   listen [::]:80 default_server ipv6only=off;
   return 301 https://$host$request_uri;
}

server {
    # Update this line to be your domain
    server_name x.y.z;

    # Ensure these lines point to your SSL certificate and key
    # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # Use these lines instead if you created a self-signed certificate
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;

    # Ensure this line points to your dhparams file
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;


    # These shouldn't need to be changed
    listen [::]:443 ssl default_server ipv6only=off; # if your nginx version is >= 1.9.5 you can also add the "http2" flag here
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # ssl on; # Uncomment if you are using nginx < 1.15.0
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    proxy_buffering off;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

yields:

daz@pi:~ $ sudo nginx -t
nginx: [emerg] a duplicate default server for [::]:80 in /etc/nginx/sites-enabled/x.y.z:11
nginx: configuration file /etc/nginx/nginx.conf test failed

If I remove the first server block by commenting it out:

#server {
#  # Update this line to be your domain
#   server_name x.y.z;
#
#   # These shouldn't need to be changed
#   listen [::]:80 default_server ipv6only=off;
#  return 301 https://$host$request_uri;
#}

yields:

daz@pi:~ $ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

And in both cases, I still get errors from journalctl:

Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 INFO (MainThread) [homeassistant.components.switch] Setting up switch.zwave
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 ERROR (MainThread) [homeassistant.setup] Unable to set up dependencies of mqtt. Setup failed for dependencies: http
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 ERROR (MainThread) [homeassistant.setup] Unable to prepare setup for platform mqtt.light: Could not set up all dependencies.
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 ERROR (MainThread) [homeassistant.setup] Unable to set up dependencies of mqtt. Setup failed for dependencies: http
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 ERROR (MainThread) [homeassistant.setup] Unable to prepare setup for platform mqtt.light: Could not set up all dependencies.
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 INFO (MainThread) [homeassistant.setup] Setup of domain person took 0.8 seconds.
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 ERROR (MainThread) [homeassistant.setup] Unable to set up dependencies of onboarding. Setup failed for dependencies: auth, http
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 ERROR (MainThread) [homeassistant.setup] Setup failed for onboarding: Could not set up all dependencies.
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 ERROR (MainThread) [homeassistant.setup] Unable to set up dependencies of mobile_app. Setup failed for dependencies: http, webhook
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 ERROR (MainThread) [homeassistant.setup] Setup failed for mobile_app: Could not set up all dependencies.
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 INFO (MainThread) [homeassistant.setup] Setup of domain light took 0.1 seconds.
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 ERROR (MainThread) [homeassistant.setup] Unable to set up dependencies of frontend. Setup failed for dependencies: api, auth, http, onboarding, search, system_log, websocket_api
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 ERROR (MainThread) [homeassistant.setup] Setup failed for frontend: Could not set up all dependencies.
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 INFO (MainThread) [homeassistant.components.light] Setting up light.zwave
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 ERROR (MainThread) [homeassistant.setup] Unable to set up dependencies of map. Setup failed for dependencies: frontend
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 ERROR (MainThread) [homeassistant.setup] Setup failed for map: Could not set up all dependencies.
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 ERROR (MainThread) [homeassistant.setup] Unable to set up dependencies of logbook. Setup failed for dependencies: frontend, http
Feb 28 18:55:13 pi hass[17186]: 2020-02-28 18:55:13 ERROR (MainThread) [homeassistant.setup] Setup failed for logbook: Could not set up all dependencies.
Feb 28 18:55:14 pi hass[17186]: 2020-02-28 18:55:14 INFO (MainThread) [homeassistant.components.updater] Submitted analytics to Home Assistant servers. Information submitted includes {}
Feb 28 18:55:14 pi hass[17186]: 2020-02-28 18:55:14 INFO (MainThread) [homeassistant.setup] Setup of domain updater took 3.0 seconds.
Feb 28 18:55:14 pi hass[17186]: 2020-02-28 18:55:14 INFO (MainThread) [homeassistant.components.binary_sensor] Setting up binary_sensor.updater
Feb 28 18:55:14 pi hass[17186]: 2020-02-28 18:55:14 ERROR (MainThread) [homeassistant.setup] Unable to set up dependencies of default_config. Setup failed for dependencies: automation, cloud, config, frontend, history, logbook, map, mobile_app, system_health, zeroconf
Feb 28 18:55:14 pi hass[17186]: 2020-02-28 18:55:14 ERROR (MainThread) [homeassistant.setup] Setup failed for default_config: Could not set up all dependencies.
Feb 28 18:55:14 pi hass[17186]: 2020-02-28 18:55:14 ERROR (MainThread) [homeassistant.setup] Unable to set up dependencies of tts. Setup failed for dependencies: http
Feb 28 18:55:14 pi hass[17186]: 2020-02-28 18:55:14 ERROR (MainThread) [homeassistant.setup] Setup failed for tts: Could not set up all dependencies.
Feb 28 18:55:14 pi hass[17186]: 2020-02-28 18:55:14 INFO (MainThread) [homeassistant.bootstrap] Home Assistant initialized in 4.61s
Feb 28 18:55:14 pi hass[17186]: 2020-02-28 18:55:14 WARNING (MainThread) [homeassistant.bootstrap] Detected that frontend did not load. Activating safe mode
Feb 28 18:55:18 pi hass[17186]: 2020-02-28 18:55:18 INFO (MainThread) [homeassistant.bootstrap] Starting in safe mode

configuration.yaml

# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:

# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
# http:
#   base_url: example.duckdns.org:8123

# Text to speech
tts:
  - platform: google_translate

group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

http:
  # For extra security set this to only accept connections on localhost if NGINX is on the same machine
  #server_host: 127.0.0.1
  # Update this line to be your domain
  base_url: https://x.y.z;
  use_x_forwarded_for: true
  # You must set the trusted proxy IP address so that Home Assistant will properly accept connections
  # Set this to your NGINX machine IP, or localhost if hosted on the same machine.
  trusted_proxies: localhost


I don’t understand, just following these guides?? Please help

Make sure you remove all of the files in /etc/nginx/sites-enabled. Then make sure the default is linked to your /etc/nginx/sites-available/haas file.

By removing your first server line, you aren’t going to redirect any port 80 requests to the encrypted server. My guess is you have another file in the sites-enabled folder which also is defining a server for port :80. If so, remove it and re-add the port 80 server line in the config.

Also, should probably edit your post to remove your actual url from here. I was able to access it (well, get to the login page). Just replace the text with something i.e. (base_url: <redacted>)

Also, remove the tts google_translate integration for now. I’m not sure google translate will work with your self-signed certificates. Many of the google/alexa services won’t work with self-signed certs. Because you’re using duckdns, I recommend using the free Let’s Encrypt part of it to get real certificates.

Finally, check the actual log for more info (/home/homeassistant/.homeassistant/homeassistant.log). It might be able to point you in the right direction.
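Added example (not part of the original posts): a shell helper that tracks down the `duplicate default server` error by listing every listen address claimed as `default_server` by more than one directive in a directory such as /etc/nginx/sites-enabled. The function names and the contents of the `default` file are assumptions constructed for the demo, and addresses are compared as written, so `80` and `[::]:80` count as different.

```shell
#!/bin/sh
# find_duplicate_defaults DIR
# Prints "<listen-address> <file> <file> ..." for every address that more
# than one listen directive in DIR marks as default_server.
find_duplicate_defaults() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue   # follows the symlinks used in sites-enabled
        # Drop comments, then keep listen directives that carry default_server.
        sed 's/#.*//' "$f" | awk -v file="$(basename "$f")" '
            $1 == "listen" && /default_server/ { addr = $2; sub(/;$/, "", addr); print addr, file }
        '
    done | sort | awk '
        { files[$1] = files[$1] " " $2; n[$1]++ }
        END { for (a in n) if (n[a] > 1) print a files[a] }
    ' | sort
}

# Constructed sample: a leftover distribution "default" site next to the x.y.z file from the post.
demo() {
    d=$(mktemp -d)
    cat > "$d/default" <<'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
}
EOF
    cat > "$d/x.y.z" <<'EOF'
server {
    server_name x.y.z;
    listen [::]:80 default_server ipv6only=off;
    return 301 https://$host$request_uri;
}
server {
    server_name x.y.z;
    listen [::]:443 ssl default_server ipv6only=off; # TLS server
}
EOF
    find_duplicate_defaults "$d"
    rm -rf "$d"
}
demo
```

Run `find_duplicate_defaults /etc/nginx/sites-enabled` on the real machine; any line it prints names the files to reconcile before re-enabling the port 80 redirect block.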

Yep, Thanks Jim, Cheers bud!

I had two files in sites-enabled dir. Schoolboy error, I cd’d into the dirs to make things easy, switching between Xterms and wrongly working in sites-available. Right, that’s that sorted

However,

Can you help a little more please?

All working, I can access over http via www and by https; however, using Google the https is reporting **Unsafe - invalid certificate**. I didn’t get any errors when generating the cert, nor did dhparams throw an error, although it did take a long time to complete.

I went to www.whynopadlock.com and it reports:-
SSL Connection - Errors

SSL Certificate Info: -
Certificate Issuer: ninjadog
Certificate Type: ninjadog-openssl
Issued On: 2020-02-28

Force HTTPS: - Your webserver is forcing the use of SSL.
Self Signed Certificate: - Your SSL certificate appears to be self signed. Browsers will display an error whenever someone attempts to visit your site.
Domain Matching: - Your SSL certificate does not match your domain name!
Protected Domains: - No Domains Listed
Signature: - Your SSL certificate is using a sha256 signature!

Jim, the instructions are all about self signing so I don’t understand why the error? Is there a way of fixing this? My competence stopped at checking my cert with whynopadlock.com. I have never done this before.

P.S. Thanks for the security tip! Fixed it.

Google services won’t allow self-signed certificates. So the tts component won’t work until you use a signed one. It’s all valid to use personally, but google (and alexa) and many other services won’t allow it.

You should look up how to use “LetsEncrypt” for your certificate rather than the self signed one.
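Added example (not part of the original posts): the two findings in the whynopadlock report, self-signed and domain mismatch, can be reproduced locally with the `openssl` command-line tool. The function names, the hostname `ha.example.test` and both throwaway certificates are assumptions constructed for the demo; the issuer-equals-subject comparison is a heuristic for "self-signed".

```shell
#!/bin/sh
# cert_report PEM HOSTNAME
# Prints "self_signed=<yes|no> host_match=<yes|no>" for one certificate file.
cert_report() {
    pem=$1; host=$2
    # Heuristic: a self-signed certificate names itself as its own issuer.
    subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ]; then self=yes; else self=no; fi
    # -checkhost matches the name against the SAN entries, or the CN if there are none.
    if openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q 'does match'; then
        match=yes
    else
        match=no
    fi
    echo "self_signed=$self host_match=$match"
}

# make_cert CN OUTFILE: constructed throwaway self-signed certificate for the demo.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_cert ninjadog "$d/mismatch.pem"        # name unrelated to the site, as in the report
    make_cert ha.example.test "$d/match.pem"    # name equal to the site's hostname
    cert_report "$d/mismatch.pem" ha.example.test
    cert_report "$d/match.pem" ha.example.test
    rm -rf "$d"
}
demo
```

The second certificate clears the domain-matching finding but is still self-signed, so browsers and external services keep rejecting it until a publicly trusted CA such as Let's Encrypt issues the certificate.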

Ah, right, might be worth mentioning that in the HA docs.
Jeez, could have saved myself a whole load of effort trying to get it working over the weekend.
thanks for educating me.

Ha, I did the same thing!

Well, first thing I did was self signed NGINX which worked fine. Then maybe a month later learned all of this and had to switch.

These services require a non-self signed cert AND port 443. I originally had it on a different port for more ‘security through obscurity’. Oh well.

ha, thanks for the words of comfort :ok_hand::wink: